Researchers at security firm zvelo have discovered
that they can crack a Google Wallet PIN using a brute force attack on a
device that is "rooted"--i.e., freed of security restrictions imposed
by wireless carriers.
But don't panic. Chances are your Android device isn't rooted;
typically only developers and true geeks are
willing to root the device, which gives the user full control of the
device with "root" privileges, but also removes certain protections.
And someone would have to get physical access to the device and install
password-cracking software on it to get to the PIN. If someone tries to
root a device without the owner's permission, the phone wipes itself of
all data, including the PIN, according to Google.
As Google says in this statement: "The zvelo study was conducted on their
own phone on which they disabled the security mechanisms that protect
Google Wallet by rooting the device. To date, there is no known
vulnerability that enables someone to take a consumer phone and gain root
access while preserving any Wallet information such as the PIN."
Google is working on a fix and in the meantime advises Google Wallet
users to not root their phones and to set up a screen lock on the
device. Zvelo also recommends disabling USB Debugging and enabling full
disk encryption, for the truly paranoid.